Nov 28, 2013

Automatic MITM (ARP poisoning) shell
script that features tools like sslstrip, dsniff and ettercap. The
script collects all packets, including SSL traffic collected with
sslstrip, and logs all the URLs using urlsnarf from the dsniff collection.
You are welcome to submit bugs, feature requests and improvements.

This project is designed to run on Embedded ARM platforms (specifically v6 and Raspberry Pi but I'm working on more).
It provides users with automated wireless attack tools that are paired
with man-in-the-middle tools to effectively and silently attack wireless
clients.
Some of the tools included in the kit are:
Custom regex-based DNS Server
DHCP
Aircrack-ng suite
Browser Exploitation Framework (Preconfigured for metasploit)
Metasploit
Python-based Transparent Injection Proxy
Pushbutton configuration
"Limpet Mine" mode for attacking existing networks
You basically answer three questions in the start script, wait a bit, then log into the BeEF console to start attacking clients.

Nov 24, 2013

A persistent / stored XSS vulnerability is detected in the official Google
Gmail iOS mobile application. The vulnerability allows remote attackers
to inject their own malicious script code into a vulnerable module on
the application side (persistent) via the mail attachment feature. All
iPad/iPhone users are affected directly by this vulnerability.

During testing it was discovered that .html files can be attached to
outgoing emails. Viewing these attachments directly from an
iPhone/iPad device results in successful execution of malicious script
code. The application does not seem to perform secure parsing in this
case. Attackers can use this feature to exploit Gmail iOS users by
injecting malicious iframes and redirecting users to external domains.
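
A defensive check for the attachment behaviour described above, as an added example that is not part of the original advisory or of Google's code: it parses a message, picks out HTML attachments and reports markup that would run script or load a frame when the file is rendered. The sample message and the names `scan_message`, `ActiveContentFinder` and `build_sample` are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed"}
HTML_TYPES = {"text/html", "application/xhtml+xml"}

class ActiveContentFinder(HTMLParser):
    """Records markup that runs script or navigates when the file is rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):  # onload, onclick, onerror, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src", "action") and value.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
            elif tag == "meta" and name == "http-equiv" and value == "refresh":
                self.findings.append("meta refresh redirect")

def scan_message(raw: bytes) -> dict:
    """Map each HTML attachment's filename to its active-content findings."""
    report = {}
    for part in email.message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() not in HTML_TYPES and not name.lower().endswith((".html", ".htm")):
            continue
        body = part.get_payload(decode=True) or b""
        finder = ActiveContentFinder()
        finder.feed(body.decode(part.get_content_charset() or "utf-8", errors="replace"))
        finder.close()
        if finder.findings:
            report[name] = finder.findings
    return report

def build_sample() -> bytes:
    """Constructed message: one HTML attachment with active content, one without."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    active = '<html><body onload="go()"><iframe src="https://example.invalid/"></iframe></body></html>'
    msg.add_attachment(active, subtype="html", filename="payload.html")
    msg.add_attachment("<p>meeting notes</p>", subtype="html", filename="notes.html")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` reports only `payload.html`, listing the `onload` handler and the `<iframe>` element; a gateway or client can use such a result to quarantine the attachment or open it as plain text.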

Vulnerable Module(s):

[+] Compose Mail > Attach Files

Proof of Concept:
=================

1) Open any text editor, paste the payload and save the file as payload.html